On Sat, 1 Dec 2001, Charles Steinkuehler wrote:

> > I like doing this, but there are concerns with doing it in anything less
> > than a perfectly trusted environment: If your log host is unavailable,
> > you're not logging; if malicious listeners are on the LAN, they can see
> > everything you log (could be quite useful when scanning or rooting a
> > server); if malicious users are on the LAN, they can flood the listening
> > syslog server and prevent real logs from getting through.
> >
> > syslog-ng is supposed to fix a lot of these problems, but I've never
> > gotten around to taking a look at it.
>
> Or just grab a bunch of multi-port serial cards from e-bay, and set up a
> log-host using serial links.  You can keep the log host disconnected from
> the net entirely (or more likely, keep its interface un-configured, and
> bring it up/down manually if you ever need to network).
>

I saw this suggested in one of my paranoiac books (maybe "Network
Intrusion Detection Analyst's Handbook"?) -- but they went one better by
suggesting that you then copy everything to lp on the loghost. Hook up
an old dot matrix printer with a Costco-sized case of paper, and you've
got court-admissible documentation of everything that happens on your
network.

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
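An added example, not code from Jack's post, the quoted reply, or the LEAF project: the loghost end of the serial-link setup described above. It reads lines off a serial port, stamps each with the loghost's own clock and the physical port name (on a point-to-point line the wire says who sent it, not the spoofable hostname inside the message), escapes control and non-ASCII bytes so a compromised sender cannot drive the admin's terminal or the printer, and appends each line to a log file and to the line printer device. The device paths, the syslog.conf line, and the sample log lines are assumptions and constructed data, not anything from the thread.

```python
"""Serial-link log sink for an otherwise disconnected loghost.

Added example, not code from the original post or from LEAF. Assumed setup
(not stated in the thread): each monitored box sends its syslog lines out a
serial port, e.g. "*.*  /dev/ttyS0" in /etc/syslog.conf, and the loghost runs
one copy of this reader per incoming /dev/ttySn, appending every line to a
log file and to the line printer device.
"""
import io
import re
import time
from typing import BinaryIO, Iterable, Optional, TextIO, Tuple

# Bytes outside printable ASCII (space .. tilde) are control characters or
# high-bit junk. Passed through unchanged they would let a compromised sender
# drive the admin's terminal (ESC sequences) or the printer (form feeds, font
# and ESC/P commands) instead of simply being recorded.
_UNSAFE = re.compile(rb"[^\x20-\x7e]")

MAX_LINE = 1024  # cap per line so one chatty host cannot fill the spool with a single "line"

# Constructed sample input (assumption): three lines as a remote syslogd might
# send them, the second carrying a terminal clear-screen escape sequence.
SAMPLE = (
    b"<34>Dec  1 21:05:17 fw sshd[412]: Failed password for root from 10.0.0.7 port 4022\r\n"
    b"<13>Dec  1 21:05:18 fw kernel: \x1b[2J\x1b[H clean log, nothing to see\n"
    b"<13>Dec  1 21:05:19 fw cron[99]: \xff\xfebad bytes\n"
)


def sanitize(raw: bytes) -> str:
    """Render a received line as safe printable text, escaping everything else as \\xNN."""
    line = raw.rstrip(b"\r\n")[:MAX_LINE]
    return _UNSAFE.sub(lambda m: b"\\x%02x" % m.group(0)[0], line).decode("ascii")


def format_entry(port_label: str, line: str, stamp: Optional[str] = None) -> str:
    """Prefix the line with the loghost's own clock and the physical port it came in on."""
    return "%s %s %s\n" % (stamp or time.strftime("%Y-%m-%dT%H:%M:%S"), port_label, line)


def relay(port: BinaryIO, port_label: str, sinks: Iterable[TextIO],
          max_lines: Optional[int] = None, stamp: Optional[str] = None) -> int:
    """Copy lines from `port` to every sink, flushing after each line.

    Returns the number of lines relayed. `max_lines` and a fixed `stamp` are
    for tests and bounded runs; the real daemon runs until the port closes.
    """
    sinks = list(sinks)
    count = 0
    for raw in port:
        entry = format_entry(port_label, sanitize(raw), stamp)
        for s in sinks:
            s.write(entry)
            s.flush()  # one line, one write: a crash or power cut loses at most the line in flight
        count += 1
        if max_lines is not None and count >= max_lines:
            break
    return count


def relay_bytes(data: bytes, port_label: str, max_lines: Optional[int] = None,
                stamp: Optional[str] = None) -> Tuple[int, str]:
    """Run relay() over an in-memory "port"; returns (lines relayed, text written)."""
    out = io.StringIO()
    count = relay(io.BytesIO(data), port_label, [out], max_lines=max_lines, stamp=stamp)
    return count, out.getvalue()


if __name__ == "__main__":
    # Assumed device names. Set the line speed first and match it on the
    # sending side, e.g.  stty -F /dev/ttyS0 9600 cs8 -parenb -cstopb raw -echo
    with open("/dev/ttyS0", "rb", buffering=0) as tty, \
            open("/var/log/serial/ttyS0.log", "a") as logfile, \
            open("/dev/lp0", "w") as printer:
        relay(tty, "ttyS0", [logfile, printer])
```

A serial line has fixed bandwidth, so a host that floods its own port cannot starve the other ports, although it can drop its own lines at the sending end once the port's buffer is full; nothing on the LAN can see or inject into the link. The escaping matters most for the printed copy: the paper is what you would hand to a lawyer, so it should show exactly the bytes that arrived rather than whatever a hostile sender told the printer to do.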


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
